Disable command-line access

To disable command-line access for your desktop user, you need to make configuration changes in a number of different contexts. Bear in mind that the following steps do not remove the desktop user's permissions to access a command line, but rather remove the ways that the desktop user could access the command line.

  • Set the org.gnome.desktop.lockdown.disable-command-line GSettings key, which prevents the user from accessing the terminal or specifying a command line to be executed (the Alt+F2 command prompt).

  • Prevent users from accessing the Alt+F2 command prompt.

  • Disable switching to virtual terminals (VTs) with the Ctrl+Alt+function key shortcuts by modifying the X server configuration.

  • Remove Terminal and all other terminal applications from the Activities overview in GNOME Shell. You will also need to prevent the user from installing a new terminal application.

Disable the command prompt

  1. Create the user profile which contains the following lines:

    /etc/dconf/profile/user

    user-db:user
    system-db:local

    local is the name of a dconf database.

  2. Create a local database for machine-wide settings in /etc/dconf/db/local.d/00-lockdown:

    # Specify the dconf path
    [org/gnome/desktop/lockdown]
    
    # Disable the command prompt
    disable-command-line=true

  3. Override the user’s setting and prevent the user from changing it in /etc/dconf/db/local.d/locks/lockdown:

    # List the keys used to configure lockdown
    /org/gnome/desktop/lockdown/disable-command-line

  4. Update the system databases by running the following command as root:

    # dconf update

  5. Users must log out and back in again before the system-wide settings take effect.

Disable dropping to a virtual terminal

Users can normally use the Ctrl+Alt+function key shortcuts (for example, Ctrl+Alt+F2) to switch from the GNOME desktop to a virtual terminal.

If the computer is running the X Window System, you can disable access to all virtual terminals by adding a DontVTSwitch option to the Serverflags section in an X configuration file in the /etc/X11/xorg.conf.d/ directory.

  1. Create or edit an X configuration file in /etc/X11/xorg.conf.d/. For example, /etc/X11/xorg.conf.d/10-xorg.conf:

    /etc/X11/xorg.conf.d/10-xorg.conf

    Section "Serverflags"
    
    Option "DontVTSwitch" "yes"
    
    EndSection

  2. Restart the X server for the changes to take effect.
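
A shell audit for the two procedures above, "Disable the command prompt" and "Disable dropping to a virtual terminal" (an added example, not part of the original guide): it checks that each file holds the setting the steps describe. The function names and the optional ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the lockdown files this page describes.
# ROOT is an assumed optional prefix so the checks can run against a copy of /etc.

# has_line FILE LINE: FILE contains LINE exactly, ignoring surrounding blanks.
has_line() {
    [ -f "$1" ] && sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | grep -Fxq -- "$2"
}

# key_is_true FILE: disable-command-line is true inside the lockdown section.
# The last assignment seen in that section decides the result.
key_is_true() {
    [ -f "$1" ] && awk '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s)
                      insec = (s == "[org/gnome/desktop/lockdown]"); next }
        insec && /^[ \t]*disable-command-line[ \t]*=/ {
                      v = $0; gsub(/[ \t]/, "", v)
                      ok = (v == "disable-command-line=true") }
        END { exit !ok }' "$1"
}

# vt_switch_off DIR: a *.conf file in DIR has an uncommented
# Option "DontVTSwitch" with a true value (section membership is not checked).
vt_switch_off() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        grep -Eiq '^[[:space:]]*Option[[:space:]]+"DontVTSwitch"[[:space:]]+"(yes|true|on|1)"' "$f" && return 0
    done
    return 1
}

# check DESC CMD...: run CMD, print PASS or FAIL, count failures in $fails.
check() {
    desc=$1; shift
    if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# audit_lockdown [ROOT]: exit status is the number of failed checks.
audit_lockdown() {
    root=${1:-}; fails=0
    check "profile has user-db:user" has_line "$root/etc/dconf/profile/user" "user-db:user"
    check "profile has system-db:local" has_line "$root/etc/dconf/profile/user" "system-db:local"
    check "disable-command-line=true" key_is_true "$root/etc/dconf/db/local.d/00-lockdown"
    check "key is locked" has_line "$root/etc/dconf/db/local.d/locks/lockdown" \
        "/org/gnome/desktop/lockdown/disable-command-line"
    check "DontVTSwitch set" vt_switch_off "$root/etc/X11/xorg.conf.d"
    return "$fails"
}
```

Call `audit_lockdown` with no argument to check the live system. It inspects the source files only, so it does not confirm that `dconf update` was run or that the X server was restarted.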